Hi, I'm Bruce Schneier, and I tried dyeing my ponytailed hair purple for this event, but it really didn't take very well.
Yeah, I know you need to bleach it first.
I don't actually have enough hair to risk bleaching it.
So I believe if you go out in the sun and stare close, it sort of works.
We might try again tonight.
So generally the format for this, as it's been, is I answer questions.
I mean, usually you guys ask all the good questions, so I'm happy to open the floor.
No.
Come now.
There we go.
Is there anybody at the con selling Secrets and Lies?
I don't know.
The vendor area hasn't opened yet.
Sometimes there are booksellers.
Often there are, you know, alternative booksellers.
I mean, Secrets and Lies, this isn't the book I published last October.
So.
Since when I saw you guys last and now, I had a new book out.
It's called Secrets and Lies, and it is a general security book as opposed to a cryptography book.
It came out in October.
Last I checked, it sold about 80,000 copies.
And it's available at, you know, all major bookstores nationwide.
So there's less reason.
Oh, good.
So I can wave it around.
This is not me on the cover.
As some people think.
Actually, my mother thought this was me.
This is some random actor, and it's a stock photo.
But no, probably not.
Often here we don't have real booksellers.
I mean, mainstream booksellers.
I guess those are less real booksellers.
But, you know, Amazon has it and all the other, you know, big evil corporate chains.
The question about the NASDAQ and glitches in the past two months?
The answer is probably.
You know, it's often really hard to tell.
One of the things I end up doing a lot in cryptogram is sort of trying to decipher the news stories.
And one of the biggest problems I have as a security guy is that a lot of the stuff is not made public.
It's very hard to learn from other people's mistakes because they keep their mistakes quiet.
You know, it's real different from, you know, if a 747 drops out of the sky.
You know, we all know what happens.
There's a multi-hundred page publicly available report.
On the accident and what caused it and how to make it better.
And we don't get anything nearly like that information for computer security events.
You know, were there really two glitches at NASDAQ?
Probably.
Do we know for sure?
No.
Do we know what caused them?
No.
Are we going to find out?
No.
Do we want to know?
Yes.
You know, this to me is sort of a major problem in actually getting computer security better.
We just don't have good information.
There was another hand that was there.
What's your background?
Yeah.
What is my background?
I thought you guys would know that.
The background looks like, I don't know, some cheap black velveteen thing.
And what kind of questions?
I don't know.
I'm surprisingly opinionated.
But I usually get the crypto questions and then some random security questions.
You'll get the hang of it.
Other people will sort of let you know what to ask.
There was something way in the back.
Question on if the trick is really in implementation rather than mathematics, what's your impression of the PKI system and their security?
Of PKI?
Yeah.
Actually, I'm going to answer the question sort of in two ways.
One of the cool things about being a writer is that you can write stuff down and you never have to say it again.
And I don't mean this in anything negative.
But, you know, as someone who does a lot of writing and security, I get to...
Figure out what my thoughts are, put them in a coherent form, put them on paper, and say done.
And a couple of years ago, I did...
Carl Ellison and I, he works for Intel, did a paper called 10 Risks of PKI.
We believe that PKI is basically a sham.
It doesn't provide any security.
You know, the security it provides is very minimal.
It doesn't actually work the way it's advertised.
And it's sort of one of the big embarrassments of cryptography.
And I'm a big fan of cryptography right now.
And rather than spend an hour explaining to you why that's true, I urge you and anybody else interested to read the essay.
It's on the Counterpane website.
Counterpane.com is my company.
Counterpane.com is the URL.
Up in the upper menus, you'll see Counterpane Labs, which is the research arm.
And then if you've wandered your way through publications, you'll find the paper 10 Risks of PKI.
And there, I sort of outline...
In my paper, I explain...
excruciating detail, I mean enough detail that all the PKI companies have written rebuttals to
it. Why I think PKI doesn't work and what, if anything, could we do to fix it. Carl and I are
in the midst of rewriting that paper because there actually were some good comments in the
various rebuttals and we're going to incorporate them and answer them and, you know, our
position doesn't modify a lot but there's a lot of new things to say, there's a lot more
information, a lot more lessons to be learned. There. Well, thank you. This isn't one of
those on page 76 you said A things. Okay, good.
It's a good question and people didn't hear it. I've said, and I've said it a lot, I said it
yesterday at Black Hat, that I think people are the major security problem. That in fact a lot of
it's not about the technology. One of the reasons I moved from cryptography into computer
security is I'm building this really cool math that's not actually solving the problem because
it gets screwed up in the implementation. And one of the things I believe is missing is
detection and response. In the real world you have prevention, detection and response,
and if you wander around the real world, detection and response ends up working a lot
better. And I started a company to do this a couple of years ago. One of the things he alluded
to, I, if you look at prevention as a security measure, it's very fragile. And we see this
again and again as we wander through our daily lives. You know, you go to sleep one morning,
you're secure, you wake up in the morning, someone published four new BIND vulnerabilities,
you're completely insecure.
And it's nothing you did. It's security is very fragile. Because once it's broken you lose it.
The question is can we make security resilient? Can we make it robust? And I believe that part of
that, a good part of that, is detection and response. But if you think about it, if you have
enough pressure plates and motion sensors and electric eyes in your house you're going to catch
the burglar regardless of how he broke in. So good detection and response will make individual vulnerabilities irrelevant. Because you have
a surveillance layer. And he asked a very good question. How do you implement that to deal
with insiders without screwing the trust within the organization? And I always look to the
real world. How do we do it in the real world? We just manage. If you go to your average
office, the CEO will lock his door. And here we have an internal security measure, even though
you're within the organization. People will log on, log off their computers. There will be
safes. There will be paper shredders. There will end up being a lot of physical controls, even
within an organization, because we all know an organization is not a single trusted entity.
It's naive to think that everybody in a
let's say IBM trusts everybody else within IBM. To the same degree. Because another point is
that trust is a very complex social phenomenon. It's not a single binary switch. So I believe
just as you have physical monitoring, and you go into a store and that cash register is
physically monitored because the sales clerk might be trusted, but not one whole hell of a
lot. So I think, well you just end up doing it. And you know, in some ways it's unfortunate,
because it does increase surveillance, but within an organization, you end up making
decisions between security and usability, security and functionality. And as long as we
have good laws in place to make sure we're not overstepping any legal boundaries for
personal privacy. There are a lot of laws in the physical world what you're allowed to
surveil and what you're not. The phone company used to time operators when they went to the
bathroom to make sure they didn't use up too much time. That was considered illegal
monitoring. So you're going to have a lot of that as the courts and the businesses jostle to
figure out what's allowed and what isn't. In some ways I worry about that because the courts
don't seem very privacy friendly in the last decade or so. I used to think that the Supreme
Court would be the one body that would do the right thing and do the smart thing, but last
October I completely lost faith in that. So I don't think it will be easy. There are no easy
answers. But like anything else that involves people, it's going to be a balance.
I hope I answered that question. Oh, let's go. I'm sorry? Actually, my next book might be
another crypto book. Interesting enough. I have a co-author. We're not going to redo applied
cryptography. We're going to do a book that we're tentatively calling practical
cryptography, which will talk more about the implementation and less about the math. Here's how
you do it. Because what you do is pretty obvious, but how to do it is hard. I'm going to go right
there first.
The question was about Internet voting. Since no one heard his plug, I'll say it. I do a
monthly newsletter called Cryptogram. It's a free e-mail newsletter. Probably a lot of you get
it. Okay. Those of you who get it, you like it, right? All right. So I'm going to go ahead and
tell the others. There are flyers for it there, there, and in the back two corners by the water
pitchers. You can subscribe online or you can give me a business card. And I do this every
month. And it's a collection of interesting news tidbits I find, correcting press reports,
commentaries on different aspects of security I find intriguing. I did an essay some months
ago about digital, about computerized electronic elections, which I think would be an unmitigated
disaster.
And I had a bunch of reasons why. I laid out a pretty good picture. I'm going to Brazil to do
hearings in front of their government on the topic. Kind of neat. And the question was, given
all the responses you heard, was there anything that changed your opinion? The answer is,
unfortunately, no. I think my opinion is based on sort of how computers work. What I
advocate for those who didn't read it, I believe that hand recounts and paper ballots are required.
That as soon as you computerize something, you not only add the probability of errors, but you
lose your auditability. You can get to a state where you have something you know is wrong, but
have no way to get to correct. So I would like to see a paper ballot that could be computer
tallied, but you can always fall back on hand tally. And that's sort of the hybrid solution I
think would work. All right, I said I would go over to this area. All right. Thank you.
Thank you. I'm going to go to the next area. One and then two.
Do you mean in publishing the manuscript? Yes. Actually, I do this a lot. I'll give you a rule
to success for being a technical writer. Do not have any ego tied up in your words. It's a really
good piece of advice. So I'm going to go over to the next area. All right. Thank you.
So, the first thing is, before I write, before I publish
anything, whether it's a book or the essays you see in cryptogram, it goes out for peer review.
Somebody will read the essay, maybe two or three people, give me comments and I'll make changes.
For books, it'll go out to hundreds of people. You know, where I'll say here, you know, this
chapter is your bailiwick. Please read it. And I get back all sorts of comments. And I make major
changes. And I actually do this in stages. Where I'll send the book to the next room. And I'm going
out to maybe 30 people for review. And I'll get it back. I'll send it out to 30 more. So I
don't only get one set of comments, I get many sets of comments. It's iterative. And yet to
me, this is the best way because what the hell, I don't know anything. Right? And that's
not true. I don't know everything. So yes, I know you read some of my book. And you gave
me good comments. And people have different amounts of free time. Some do very
superficial, read a chapter. Some don't do it at all. Some give you back huge comments. So
you know, you get a nice little bell curve. And you get good information. So yeah, if you're
doing a tech book, especially in computer security, where there's so many things, little
pieces you don't know, I recommend. It's really a lot better to get the feedback before it's
published than after. That's sort of the philosophy. There's a question up there.
The question is whether I think that the current software engineering practice has
enough, I guess, collective wisdom in how things fail, in failure modes, that things are going to
get better. I guess is the basic question. Actually, I believe the opposite. I believe things
are going to get worse. I believe things are going to get
worse much faster. We're certainly not learning from them. There are great examples of this.
Buffer overflows is my favorite. It's a 40-year-old problem. We know how to fix it. And
still two-thirds of all CERT advisories are buffer overflows. We're actually not learning very
much. And I've given lectures on this last year at Black Hat. I gave an hour talk on
complexity. And I believe that, I mean, the amount of complexity that's being
added far overshadows any additional security we're getting. There are seats up front. There are
lots of seats up front. You just sort of have to walk up front and find a seat. I mean, they're
all hiding them from you in the back. But I assure you, I'm higher. I see them. So, no,
actually, I think things are getting worse. And I think things are going to get disastrous.
That I think there are some major, I mean, we're starting to see them, right, as complexity is
rising. We're seeing large system wide. We're seeing large systems being built up. We're seeing
large system wide failures. You know, we had the California power grid hacked into. Right?
This wasn't possible three years ago because it wasn't on the net. So as more critical systems
go on the public network, in this month's cryptogram, which is coming out on Sunday,
believe it or not, I talk about computer telephone integration. And the sort of disaster is
waiting for us when the phone network starts getting the reliability of the Internet. And the
problem is, you know, I'm not impressed. Oh, let's go right there.
You know, the whole book was a surprise to me. And I sort of said this in the
forward. I'm writing the book sort of to, I mean, I wanted to write a book that was
about general security to sort of explain how a firewall works, how an IDS works, how
cryptography works, to a more general audience. Because I kept meeting idiot managers. And I
wanted a book that they could read and understand. So, and the book's divided into three
parts. The first part I talk about the general environment. You know, what the computer
security world looks like. What is the threats? Why is the Internet different than the real
world? Why is it the same? What the attackers look like? You know, what is the threat? Why is
it different? You know, what are our security needs? You know, sort of what's the
environment? Second part I talked about the different technologies, you know, ranging from
cryptography and steganography and network security things and software security things. And
I insulted PKI in there. And, you know, while writing this book, I kept, I started getting
more and more disillusioned because I'm like not having any good news. What I'm basically
saying is, well, this doesn't work and this doesn't work and here's why this doesn't work and
here's why this wouldn't work and here's what the interest land is that doesn't work now. I
this is a good book and this would never work. And I don't have any, and this does work.
So I actually ended up taking a year-long sabbatical from writing the book
because I really didn't want to finish a book that was so negative. And the surprise was,
well, what does work? And this is where I go back to the real world. And the real world's kind
of surprising, because it's inherently extremely dangerous place and at the same time a very
we live in a very safe society. And trying to figure out what is it about our society that
makes us safe. It's not that we all have personal firewalls or wear body armor which would be
the equivalent. And I looked a lot at the processes of security. Very different than the
technologies of security. I'm safe in my house not because I have an Uber door lock. That's
not the reason I'm safe. It's not about the technology. So that was the biggest surprise.
And it's a very general surprise. And part three of the book, I sort of talk about solutions in
very generally about different processes. I don't know. I really enjoyed writing the book. It's a
fun book to read. There's good jokes in it, which you can't beat. It's cheap. Oh, let's go, how
about the second one in. Yes.
Yes. Yes. Is this the one for the rental cars or is this?
That's right. Okay. Using infrared to peer through devices.
Questions about wireless 802.11. That's a great example of what I'm saying. There have been a couple of
which sort of said that the cryptography really stinks. And there was a paper out of I think
University of Maryland that said basically, well, even if you fix the cryptography, these
other security things also stink. As it turns out, it actually doesn't matter because the
system is based on a shared password you type in. So no matter how bad those things are, the
implementation is actually worse. You can brute force pretty much any 802.11 network that's
encrypted you want. And in any case, most people don't bother encrypting them. So this is a
great example. We have an example of a system that's billed as secure because of cool
encryption. We learn that the encryption is implemented badly so it doesn't actually provide
nearly the security you think it does. The protocol surrounding the encryption,
in other words, these security systems are implemented so badly that even if you fix the
encryption, you wouldn't get nearly the security you did. The implementation is so bad that even if
you fix those two things, you wouldn't get the security you think you did. And nobody
implements the security anyway. So even if you fix everything, people would use it
insecurely. I mean, I don't stand a chance against these kinds of idiots. So no, nothing has
changed.
And you are not, this was second from the end, you were at the end,
so I'm going to go to the person I wanted the first time.
Thank you.
And the internet is by nature global.
I mean, I talk about this in actually chapter two of my book.
It's a big difference between the internet and the real world.
The fundamental global nature of the net makes a lot of our existing system of doing laws,
which are based on proximity.
I mean, I walk up to you, I hit you over the head, I take your money.
We know where to arrest me.
We know where to try me.
You don't have that same kind of proximity when someone's in St. Petersburg
and they're in the middle of nowhere.
You know, attacking Citibank's computers through France.
And that is a big problem and there is no easy solution.
There really isn't.
It's a very big, it's a big difference.
And his last point, and his last point's a very good one,
that where are the lobbying groups for the hackers?
Well, unfortunately, and I've been involved in this for a bunch of years,
we're basically screwed.
There's not a whole lot of money lobbying for personal privacy.
There's not a whole lot of money lobbying for privacy, for liberty, for freedom,
for openness, for information sharing.
I mean, there's lots of people lobbying for closed, for proprietary,
for copyright enforcement, for draconian rules for this, that,
and the other thing, for surveillance.
I spend a considerable amount of time doing lobbying for, on the good side.
And, you know, we get a lot of,
we get a lot of airtime.
You know, I actually, I can get access to a congressman and talk to them
in a way that a company would have to spend a lot of money in campaign contributions to get.
So I do get more access
because I'm on the side of personal privacy
and of freedom and liberty, and those are, like you know, good things.
But a lot of it, unfortunately, is lip service.
I mean, we saw this in spades
in all of these, the DMCA and Napster and digital copyright.
right. If you look at where the solution space surrounds, it surrounds where the money
is. And we have a very, very hard problem, especially now in the past, you know, to me it's
last 20 or so years when lobbying dollars and lobbying, to a much greater degree than
before, makes laws. Lawmakers are much less likely now to do what's right and much more
likely to do what gets them votes or money. Actually money, because you can always buy
votes. I don't mean that in the bribing people, but in paying for a campaign. You know,
Americans have very short memories and you just need money. And this is bad. I'm not very
optimistic in the near term about us being able to maintain the freedoms and liberties we
have in the real world, even maintaining them in cyberspace.
You know, let alone getting new freedoms and liberties. We see this in, you know, sometimes we've
won. You know, we seem to have beaten back carnivore, but it'll come back under a new name. You
know, we, when the DMCA, Digital Millennium Copyright Act, came out, I was one of the people fighting
for the carve out for research. We got a carve out, but it's so badly defined, that doesn't
actually work. We've gotten changes in the European Union. We've gotten changes in the European
Cybercrime Treaty, to prevent some of their more draconian surveillance ideas. But these things
come back again and again. You never actually win. You know, once the government or the FBI or
Disney gets a power, they never actually let go. But if we're fighting for personal freedom,
every time something happens, we have to keep fighting. And, you know, I wish I had the power to
fight. I wish I was more optimistic. I will continue to fight the good fight. But I am, it's, it
is a tough battle. There's a question way in the back. I will not be able to hear you, so if you
move forward, and meanwhile, you had your hands up. Question is about Twofish. Let's see, I
forget where we were last year. Twofish, which is an algorithm I wrote, was one of the finalists
for the AES, which was the government replacement for DES. And I think it was last, so I think
we talked about that last summer. Last spring, NIST chose a different algorithm called Rijndael
to be AES. It was one of the good ones, I think it was a great choice. I have nothing but good
things to say about NIST and the process. What happens to Twofish? You know, same thing that
happens to all the other algorithms that are out there. It's being used by some people, by some
companies. On the Twofish web page on the Counterpane site there's a list of products that
use Twofish. It's out there. It won't get nearly as widely used. I will not get all the fame
and glory of being chosen to AES. But it was still way fun. It's free. It's public domain just
like a good half a dozen other algorithms. So it will go on. It will probably fall out of
favor in a number of years. It's still good. It's still secure. I still like it. But you
really want to use the standard. That's the point of standards. If someone was asking me what
should I implement, I would say implement the standard as opposed to implementing something
other than the standard. All right. Now that you're closer. How do I feel about SDMI? This is
a secure digital music initiative. Yeah, it's one of the watermarking techniques. I wrote about
this in Cryptogram a few months ago, I think. It's just as stupid as all the others. One of the
problems ‑‑ if you see this on the Internet, it's a little bit of a problem. It's a little bit
of a problem. So let's think about watermarking. It's an interesting idea. There's sort of two
ways to do watermarking. The idea is I'll take a digital file that's lossy, you know, an image or
music or video, and I'll embed identifying information in it. I can do a positive or
negative watermark. I can embed information about you, the legal owner. You buy a copy of
The Little Mermaid, it's got your name embedded in it, and you can't delete it so that if you
post it on the net, Disney knows who to sue. You can't delete it.
That's one way to use a watermark. A bunch of problems with that, one, often the person who
commits the crime doesn't have any deep pockets. I mean, I can go out in the street, give some
street person $20, say, go in there, buy a digital copy of The Little Mermaid and give it to
me. So now I have a copy with his name on it. No one can sue him. He doesn't have any assets.
And that sort of problem pervades. Or I could steal your little copy of The Little Mermaid, and I
post it. Right? You're not culpable. So the positive watermarks, they don't actually make
sense. The negative watermark is where you start putting code in the media player. If this
watermark doesn't appear, don't play it. Then you put code in the copying mechanism. If this
watermark appears, don't copy. Or more robustly, if a copy is made, the watermark is destroyed.
And that's more the SDMI approach. This stuff is really scary. I believe the entertainment
companies actually don't like computers because they're much too scary, much too general, much
too useful. What they want is what I've termed an internet entertainment platform. Right?
That's what they want you to have. Very, very much. Because an internet entertainment
platform, they could control. Right? The only way to make this watermark work is to have a
controller. Is to extend the control to the hardware. Because otherwise, you'll be able to take
it out, you'll be able to manipulate it. The other big problem is actually making the watermark
robust. And that's actually very, very hard to do. We don't know how to do that yet. Even
assuming you did. I came out very strongly against SDMI. You know, I thought it wouldn't work
unless you had these draconian hardware changes. Now all through to the speakers of your stereo.
And there was a great article
in Discover a number of months ago. I mentioned it in the Cryptogram, where some author, you know,
took SDMI to its logical conclusion. Right? You'd have to have these SDMI enabled recorders and
speakers. And then you'd also have to outlaw non-SDMI enabled recorders and speakers. You'd
have to actually tag every piece of content. Otherwise the system would fail. This is a tough
battle. Where we're fighting a lot of very, very, very
very big money. I mean, and this is companies like Disney that actually had U.S. copyright law
changed when the old Disney cartoons were going into the public domain. I mean, this is a lot of
lobbying money. And they very strongly believe that digital content is the death of what they
own. And they need to control it. I believe the controls won't work. They're causing us all
sorts of grief. They're actually causing us a lot of
grief. They're actually hurting computer security in a very general way. And we need on all
fronts to fight this. I mean, the stuff that was done, you know, I did a testimony for the DeCSS
case for 2600 Magazine. I'm constantly fighting these battles. Constantly writing and
speaking about this. Because it's a big deal. You asked a question already. You didn't.
Or if you did, I don't remember you. Can I explain the vulnerability in solitaire
not without graduate mathematics? Actually, I can. For people who don't know, this is sort of a
fun story. I did an encryption. This is something I've been trying to do for years. I wanted to
come up with an encryption algorithm that you could use in the field. That you could implement
with pencil and paper.
yet would be secure against computers. The notion would be some spy in a third world
country would need to encrypt messages back home and would be concerned about the secret
police. And for a while I worked on algorithms that involved pocket calculators and
weird and transcendental functions trying to get something that was useful. And I don't
know, sometime it came to me that a deck of cards is actually a really cool, easy way to
store a permutation. A 54 element permutation, including the Jokers. So I built an
algorithm around ‑‑ okay, you have an announcement? All right. Do you want to ‑‑ is
it important enough? So I built an algorithm around a deck of cards, called it Solitaire.
Sometime around when I was finishing the work, I, you know, I was talking to Neal
Stephenson, and I told him the story, he said, cool, I'll put that in my next book. And
that's kind of neat. So the algorithm appears in the book. I have an appendix in Neal
Stephenson's, this is in Cryptonomicon. I have an appendix in his book. I did a couple of
book signings with him in Chicago and Minneapolis and I learned, much to my chagrin, that
cyberpunk writers get way better groupies than cryptographers do. By a lot. And so the
algorithm is there. About a year ago, maybe a year and a half ago, someone pointed out that
there is a bias in the output. It's not really a vulnerability. We haven't actually been
able to break messages using the bias. But it's certainly something I should fix. And
I am in my copious free time going to come out with Solitaire 2. Basically the output is
not as random as it should be because of the way the mechanisms work. There is a pretty easy
fix, but actually I want to test the fix a lot more than test the first fix. Once you start
attaching yourself to somebody's book, suddenly you're behooved to the fiction publishing
schedule, which sort of was a surprise. But there's a lot of math to the vulnerability, but
that's the basic intuition. There's a bias in the output. And now we pause for a very, very
special announcement. I think he's going to yell at you for something. Oh, you're good. By
the way, cryptographers do it mathematically. Is that a plus or a minus? I don't know.
You're the cryptographer. The question was, was it a plus or minus?
So all you girls out there, flock him later.
That's K, not G. I'm sorry.
That's with a K, not with a G.
That's correct. We don't want any K girls. We want G girls.
I'm sorry?
I said that's with a K, not with a G.
No, someone else said something about copulation.
No, that's the same joke I made.
Okay, I'm sorry. I thought I was putting Bruce under glass or something like that. Okay.
Yeah, I am actually here to yell at you. What a surprise. It's already 1135.
And this will be my second yelling of the day.
There are people walking around right now strongly encouraging you with flyers and so on and so forth
to cause various mayhem and discontent within the hotel.
They're also encouraging you to beat up the staff.
And pick on the feds.
Thank you, citizen.
Jay.
I would strongly encourage you not to do that.
I would also strongly encourage you to, as non-violently as possible, discourage these individuals from doing that.
We like this hotel. This hotel kind of likes us at this point.
Does anyone not want to be here next year?
To show of hands.
Okay. Very funny. Ha ha.
A couple smart asses in the back. You can kick his ass later.
Did you... Waving at... Hi, how are you? Good to see you.
Oh, okay. Stand up, sir.
Go ahead, sir.
You had the balls to say it. Now you better back it up.
Open season.
Is there anything else stupid that you want to tell us not to do?
Well, you see...
It's kind of funny you mention that, because...
Obviously, this speech is meant for you.
It's kind of like the caution hot signs on the McDonald's coffees.
We're supposed to be the bright folk.
Right? The uber-hackers, right? You know, the smart ones.
If you think you should be banging rocks together in the parking lot to make fire...
The newbie track is downstairs.
I mean that jokingly.
My four-year-old niece
can break lights and steal the soap boxes out of the bathrooms.
Okay?
I expect you people to be hacking the PBX.
Not that I'm advocating that you hack the PBX, but...
At least not this hotel's.
I expect you to be breaking his algorithms.
I don't expect you to be stealing light bulbs.
And think about it.
If you're stealing the soap dispensers from the bathroom,
you probably should be washing your hands.
Because you're obviously one of those guys...
We have a special room for you.
It's got some rope ladders and some swings, bananas.
You can throw feces at each other.
Kind of like the telco guys, you know, at Pac-Bell and stuff like that.
Seriously, please.
We like this hotel.
This hotel has been very good to us.
As I mentioned before, unless you want to be in Salt Lake City, Utah,
next convention, and if you're not Mormon, take it from me, it sucks.
I've been there.
In the dead of winter.
And it sucked.
And I'm not Mormon.
Not that Mormonism is a bad thing.
We're going to get kicked out.
And that kind of stuff has just got to stop.
So please, one, encourage your friends to return the lights they've stolen and the soap dispensers.
You have a general amnesty on anything you've taken.
Bring it to me or one of the other staff.
We will not beat you.
We will not get angry at you.
We will not yell at you.
We'll probably look at you like, what the hell were you thinking?
But you can bring it back with impunity.
We just want to give it back to the hotel.
If you do see some wanker walking around with...
beat up the feds, remember they do carry guns, and you don't.
And they will shoot you.
And we can't do anything about that.
But there's a whole Darwin thing going on there.
So actually, let me take that back.
Those of you dumb enough to go beat up on a fed, go for it.
Open season.
Please.
All you feds, if you've got a presidential hunting license, no bag limit.
You are authorized up to it.
Including tactical nuclear devices.
Again, please encourage them to stop.
Please encourage them to give the stuff back.
And please con responsibly.
I realize we're all a bunch of 13-year-olds of all ages.
But let's be smart 13-year-olds.
Okay?
Let's not be 4-year-olds.
Are there any questions?
Sorry, are there any smart questions?
Anyone?
Yes, sir.
You need to talk to me right now.
No questions?
None at all?
I turn it back to the very sexy Bruce.
Actually, he's got a point.
It's tough because we're sort of walking a fine line
between what's legal and illegal.
What's allowed and not allowed.
Sort of where you walk the line and where you don't.
So it determines whether this conference lives or dies.
And I kind of like it.
And if you guys like it, stick around.
Oh.
Actually, so you've listened.
Do you know what kind of questions to ask?
Where'd you go?
You left.
Ah, well.
Guess it wasn't the right kind of questions.
Oh, let's go for the red shirt.
You're talking about how the DMCA is a crappy piece of legislation
because it's gonna manage a little bit of work
and eventually it will fall apart.
That the media companies are afraid that technology is gonna
basically kill their profit plan
and their profit plan is gonna kill their income
because of the content they're putting out.
Do you see...
Do you have an idea of something that would work?
Or do you believe that, in a theoretical sense,
something that would be developed that would satisfy
both the interests of all of us,
and the interests of all of our properties?
Is it...
Is it...
Is it a real good question?
If people didn't hear it, he's asking about,
well, if the DMCA and, ah,
copyright protection doesn't work,
certainly the media companies are afraid they're gonna lose
their content and they're gonna stop producing it.
So what will work?
It's an interesting question.
Ah, I did...
There's a paper I wrote called Street Performer Protocol.
It's on...
It's on my publications page,
where I looked at this question.
The basic idea is,
is there any way to make money with content,
other than the scarcity model?
But the whole model that the music industry,
the movie industry,
is selling the each.
Right?
Selling the CD.
Selling the tape.
Selling the performance.
And how else can you make money?
Well, it turns out there are lots of ways to make money.
I mean, television is a great example.
Television never worked on the selling the each model.
You bought a TV,
you turn it on,
and you got all the content for free.
So there was an advertising model that made that work.
You go to public television,
there's a public funding model that makes that work.
And you wander around,
there are lots of other models.
There's a recency model.
Right?
Ah, Bloomberg stock data is free.
But if you want it,
in the next 10 seconds,
you're gonna pay for it.
Another interesting model.
Ah, you know,
look at the Grateful Dead.
Giving away concert tapes.
It's okay to tape the concert.
It's okay to give it away.
We're gonna sell the live performances,
but we're gonna give away the content
of those performances.
Ah, there's patronage funding.
Right?
Stephen King saying,
you know,
I'm gonna write this book.
Ah, I want you to pay me
when you download it.
If you pay me,
I'll write it.
If you don't, I won't.
But you can do that.
The newspaper is a good example.
You know,
when you buy a newspaper,
you don't actually pay for the newspaper.
That quarter or 30 cents
is sort of just a price of admission.
Actually,
it costs a lot more
to make a paper.
But it's mostly
an advertising model.
And it's also
an aggregation model.
Right?
You...
Someone might be buying
the crossword puzzle.
Someone else is buying
the sports section.
Someone else is buying
the movie listings.
But the paper is sold
as a coherent whole
because each part
ends up subsidizing
the whole.
And you could go
on the website
and get all that content
for free.
But you want it
in a...
in paper form.
So,
what you're buying
is the packaging.
So,
yes,
there are lots
of other models.
There are different models.
I believe,
fundamentally,
digital content
changes
the rules
of content.
Because bits
are copyable.
I'm sorry.
They are.
We cannot
change that.
It's like
making
water
not wet.
And those
businesses
that will thrive
in the digital
media age
are those
that align
their profits
with the
natural laws.
And not
those
that try
to fight it
with the
DMCA,
with SDMI,
with all
of these
basically dikes
that are trying
to hold back
the tide.
The tide
will come.
So,
just try
to think
smart.
How can we
make money
despite?
Now,
I love
the bands
that will perform
and say,
you know,
we want to make
money to
make it.
And there's
an example.
They could
eventually
actually give
the CD
away.
In a lot
of ways,
my book
when I was
a consultant
was an 800
page business
card.
If Wiley
didn't own
the rights,
I would have
given my
book away
because it
got me
consulting
work.
So,
yes,
there are lots
of other ways
to make money
that aren't
selling the
each,
that aren't
the scarcity
model.
But you've got
to think
about them.
And unfortunately,
the record
companies and
media companies
want to protect
an enormously
draconian
business
where they
screw a lot
of artists,
where they make
a lot of money
and they do it
in the way
they're used
to doing it.
And they don't
want to think
differently.
They want to think
the same.
Who do I
like?
Let's go to
someone I can
hear.
Right there.
No,
you.
Yes,
you.
A couple
points I'll
talk about.
One is the notion
of due diligence.
And yes, there is
one in cyberspace:
these days it's "don't do any worse than your neighbor." What does it mean when a company
said, we did due diligence, it means we bought a firewall, maybe we have an IDS. Doesn't
mean we're actually secure. Because that's what the minimal standard is. The more
interesting point you made in the beginning where you said, am I calling for more law?
Those who heard me yesterday, I talked about the need for law enforcement. Am I calling
for more laws? I'm actually not. We're now in a society where technology changes too fast
for laws to catch up. Back in the previous century, certainly the first half of the
previous century, you had very few technological advances that happened very slowly. So you
could really invent a telephone and then take five or six years to figure out what are
wiretapping laws? What does search and seizure look like on a telephone? What's the difference
between eavesdropping and trap and trace? And that's exactly what happened. And it took a
good long time. Changes are happening too fast now for that. We actually need to be able to
make laws that are technologically invariant. And I didn't make this point yesterday and
this is a point I actually will make when I go in front of the congressional committee on
Monday. Laws need to be technology invariant. If we make technologically specific laws,
they will become obsolete in a year, in two years, in six months. And in a lot of ways we have
all the laws we need. Breaking and entering is a crime. We don't need a cyber breaking and
entering law. We've already got a breaking and entering law. We've already got a
harassment law. We've already got laws against confidence tricking. We've already got
pornography laws. We don't need new ones. Because the Internet shouldn't have different laws. It
should have the same laws. They just need to be applied in a reasonable manner into this new
environment. And this is going to happen more and more. Peer to peer is now different. You start
getting new things on the net. There will be interactive video soon. Is that different? Who the
hell knows? It needs to be the same. So I'm not advocating more laws. Whenever Congress starts
making laws, I get worried. Because then you've got all of the lobbying. You've got all of the
influences on the law. I'd rather have the courts figure out how to prescribe the laws. How to
implement the laws in a coherent manner.
I'm much more confident that will be done fairly. Nothing is perfect. We're going to be screwed
little bits here and there no matter what. But I think we have a better chance of getting out of
this okay if we let the courts do it rather than Congress. Or like the President or something.
There's a problem with taking defense in your own hands. It's very jurisdictionally isolated.
Things that we can do in the United States are very different than things you can do in France.
There's very different things you can do in Saudi Arabia. So those laws, what is taking your defense
is different. I wrote a little bit about counterattack in Cryptogram like two months ago.
The notion of not just defending yourself as being in a hard shell, but actually actively
defending yourself. Retaliating. Which is sort of what your analogy is of having a gun for
personal defense. You're using an offensive weapon to retaliate against an attacker in defense.
That's real hard to do on the net. We can go through the technical reasons, but they're there.
Presumably this will become easier. You're going to have the same problems you're going to have in the
real world. What if you retaliate and you hit the wrong person? That's going to be a big issue.
Especially on the net where people can cloak themselves in other people. Where people can steal
other people's identities. So we're going to have to deal with that. What constitutes enough
probable cause that a citizen can retaliate? You're going to have the jurisdictional boundaries.
An attacker coming from this country versus that country. Going through a third country. I believe
we are going to have international cyber space laws and treaties. We have to. But still there are
going to be lots of domestic sensibilities. And there will be domestic sensibilities about
content. If you're a country like China or Singapore. There will be domestic sensibilities about
different moralities. Maybe you're Saudi Arabia or Afghanistan or the United States. There will be
major differences in what's considered security. And then there will be major differences in what's
it proper. And my fear is we're going to get the net that's the lowest common denominator.
When the government of Germany complains to eBay about having Nazi memorabilia on sale, I
don't want the solution to be for it to disappear from the entire world. Because then you
end up with the minimum of what everybody allows. What you want is the maximum. This is
hard to do. And I don't think we're going to solve it any time soon. But those are some of
the issues that you have to deal with. I would love to get your question and I'm not going to
hear it unless you're really, really loud. Yeah, yeah. I don't speak sign language and my
interpreter left. That's a yes. I know that's a yes. I can't be loud. My question is who is
going to be the global Internet lawmaker? Who is going to be? Who is the
global Internet lawmaker? Don't know. There are any number of candidates. The UN
has tried to do some of this. G7 has tried to do some of this. ICANN, the commercial
world has tried to do some of this. The IETF has tried to do some of this. I don't know. It's
going to be some combination. If you look at some of the really good global laws, a lot of
them are just informal treaties. You look at GATT. You look at a lot of the maritime, the
bills of lading. There's an enormous amount of international law involving shipping. What it
means to buy a product on their dock and have it shipped across an ocean to your dock. What
happens in the middle? And there are commodities like oil which might change ownership
seven or eight times as the tanker goes from point A to point B. Now, there's no global body that
establishes these rules and laws. It's conventions, it's agreements, it's treaties.
So you're probably going to have some sort of mishmash like that. I mean, it would be
great if the world government could do it, but we ain't got no world government, and it
ain't coming any time soon. I mean, you know, the UN's going to try, and they'll
probably get some things done. But, you know, there's too much minutiae.
Maybe it should be more distributed. It should be more like a martial law.
Yeah, and some of the... Right, and some of those other ways are more distributed,
some of the bilateral treaties, the IETF-type solutions.
Corporations have policies, not laws. Perhaps policies could govern jurisdictions
territory.
Yeah, and policies do.
They do in many areas of commerce that end up not being laws, but they're common
practices. You get odd collisions, though. You know, there's... When the typewriter was
invented, there was a number of years where we figured out what it meant to have a typewritten
contract. If you think about it, contracts are handwritten, so you know who wrote it, and
they're signed. What does it mean when a contract is typed? Can it be forged? Do you have
to sign every page or just the last page? Which is actually a really good question. And, you
know, there are some countries that are sign every page countries, and there are countries
like the United States, which are just signed the last page countries. And there were cases
where there were contracts where one jurisdiction held them invalid and one jurisdiction held
them valid, because of the different rules about what it meant to sign a contract. So,
you're going to... I think you're going to have those sorts of distributed conventions, if
not laws, or, you know, maybe formalized into treaties, maybe just business conventions. I mean, a
lot of what the oil industry does are conventions. They just know how they do business, and
it's the way it works. You get that at a lot of trading floors. You know, go visit the New York
Stock Exchange or NASDAQ. There are no... There aren't laws that govern what goes on in the
pits, but there are very strong conventions, and they have dispute resolution. It's all like a
government, except it's private. So, yeah, you could have some of that, and there are examples of
that working and failing. The net's so tough because it's so global. I mean, you guys are in
it. You know, I mean, everybody played by the rules, right? If everybody was a good sheep, you
wouldn't need copy protection. But there are always people who are going to push the rules, and
this is a good thing. I'm not saying this is bad, but you'll always have an element that will
push the rules. So, there will always be the drive to make the rules more formal and more
enforceable. I have to go. It's time. I am here all weekend. Most likely I'm outside because I like... Actually, I like the hot sun.
Thank you. Again, I have flyers to my newsletter in the four corners. There, there, there, and there.
Or you can give me a business card or your e-mail address. Thank you.
Thanks for listening. This is... I mean, this is always fun. I love doing this. Thanks.
